ZERO-KNOWLEDGE PROOF CRYPTOGRAPHIC METHODS AND DEVICES
The present invention relates to asymmetrical key 
cryptography, also known as public key cryptography. It 
relates more precisely to a method and a system for 
verifying the authenticity of a known entity or a message 
coming from a known entity or for signing a message. 

Asymmetrical key cryptography systems use pairs of keys, each pair comprising a public key and a private key, and each key may include a number of parameters. Each public key is linked to the identity of its holder by a certification authority. Asymmetrical key cryptography systems include entities known as controllers that store a number of public keys in conjunction with the certified identities of their holders.

The problem of factorizing integers has been the 
subject of intense research since the invention of the RSA 
asymmetrical key cryptographic method (see the article by 
M. Gardner, "A new kind of cipher that would take millions 
of years to break", Scientific American, August 1977) . 
The name RSA of the algorithm is derived from the initials 
of its inventors R. Rivest, A. Shamir, and L. Adleman. 
Despite considerable advances, more a result of growth in 
computing power than of progress in factorizing 
algorithms, there is still no known method of factorizing 
a large integer in a reasonable time. Users are therefore 
justified in placing their trust in the RSA method. 

Each use of the RSA method is associated with an integer $n$ known as the modulus, which is the product of two distinct large prime factors $p_1$ and $p_2$. Given present-day computing capacities, it is recommended that moduli of at least 1024 bits (of the order of $10^{308}$) be used. An RSA public key includes the modulus $n$ and an exponent $e$ that is coprime with $(p_1 - 1)$ and with $(p_2 - 1)$. The corresponding RSA private key includes an exponent $d$ such that (the symbol "mod" signifies "modulo"):

$$e \times d = 1 \bmod [(p_1 - 1)(p_2 - 1)]$$



The security of this method relies on the fact that it is impossible to calculate $d$ from $n$ and $e$ within a reasonable time if the factors $p_1$ and $p_2$ are not known. As explained above, it is not possible to calculate these factors (which are naturally kept secret) in a reasonable time.

The cryptographic procedure for entity authentication uses a controller and a keyholder, referred to below as the claimant, who wishes to be authenticated by the controller in order to receive an authorization, for example the authorization to access electronic data processing resources. The claimant declares an identity to the controller, and must prove to the controller that the claimant holds the private key corresponding to the public key linked to that identity.

It is possible to effect this authentication without the claimant disclosing to the controller any information at all concerning the claimant's private key: this technique is known as zero-knowledge proof authentication and is described in general terms by S. Goldwasser, S. Micali, and C. Rackoff in their paper "The Knowledge Complexity of Interactive Proof Systems" delivered at the 17th ACM Symposium on the Theory of Computing (Proceedings, pages 291 to 304, 1985).

In the paper "Zero-Knowledge Proofs of Identity" (Journal of Cryptology, vol. 1, pages 77 to 94, 1988), U. Feige, A. Fiat, and A. Shamir propose a zero-knowledge proof cryptographic method in which the claimant holds a private key $Q$ and publishes an RSA modulus $n$ and a public key $G = Q^2 \bmod n$ (it is impossible to calculate $Q$ from $G$, i.e. to calculate a square root modulo $n$, in a reasonable time unless the prime factors of $n$ are known).

When the above method is applied to authenticating entities, the Fiat-Shamir procedure comprises the following interactive steps:

1. Witness step: the claimant chooses at random an integer $r$, calculates the "witness" $R = r^2 \bmod n$ and sends the witness to the controller;

2. Challenge step: the controller chooses at random an integer $d$ called a "challenge" which can take the value 0 or the value 1 and sends the challenge to the claimant;

3. Response step: the claimant calculates the "response" $D = r \times Q^d \bmod n$ and sends the response to the controller; and

4. Verification step: the controller calculates $D^2 / G^d \bmod n$ and verifies that the result is equal to the witness $R$.

For increased security, it is recommended that this 
procedure should be repeated "sequentially" as many times 
as possible before considering that authentication has 
been effected (varying r and d each time) . 

This is a zero-knowledge proof procedure because an 
observer cannot calculate the private key Q of the 
claimant from the data exchanged. 

In a Feige-Fiat-Shamir or parallel variant, the claimant holds a number $m \ge 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and publishes, in addition to an RSA modulus $n$, respective public keys $G_1, G_2, \ldots, G_m$, where $G_i = Q_i^2 \bmod n$ for $i = 1, \ldots, m$. The following steps are then executed:

1. Witness step: the claimant chooses at random an integer $r$, calculates the witness $R = r^2 \bmod n$ and sends the witness to the controller;

2. Challenge step: the controller chooses at random $m$ challenges $d_1, d_2, \ldots, d_m$, where $d_i$ is equal to 0 or 1 for $i = 1, \ldots, m$, and sends the challenges to the claimant;

3. Response step: the claimant calculates the response $D = r \times Q_1^{d_1} \times Q_2^{d_2} \times \ldots \times Q_m^{d_m} \bmod n$ and sends the response to the controller; and

4. Verification step: the controller calculates $D^2 / (G_1^{d_1} \times G_2^{d_2} \times \ldots \times G_m^{d_m}) \bmod n$ and verifies that the result is equal to the witness $R$.

This parallel variant accelerates the Fiat-Shamir 
authentication procedure compared to the sequential (i.e. 
series) variant referred to above. 

Note further that the calculations required to 
implement either of these variants can be reduced if the 
claimant uses the Chinese remainder theorem well known to 
experts in number theory. The claimant may proceed in 
the following manner. 

Consider first the calculation of the witness $R$. For a modulus $n = p_1 \times p_2$, where $p_1 < p_2$, let a number $C$ (known as a Chinese remainder) be the positive number less than $p_1$ such that $p_1$ is a factor of $(p_2 \times C - 1)$, i.e. $C = p_2^{-1} \bmod p_1$. The claimant chooses at random two integers $r_1$ and $r_2$ such that $0 < r_1 < p_1$ and $0 < r_2 < p_2$ and calculates the two witness components $R_1 = r_1^2 \bmod p_1$ and $R_2 = r_2^2 \bmod p_2$. The value of the witness is deduced therefrom as follows, where $z = C \times (R_1 - R_2) \bmod p_1$:

$$R = z \times p_2 + R_2$$

(Reducing $z$ modulo $p_1$ is what keeps $R$ in the range $0 \le R < n$; $R$ is then the unique integer in that range congruent to $R_1$ modulo $p_1$ and to $R_2$ modulo $p_2$.)

To calculate the response $D$, the claimant may proceed as follows. Private key components $Q_{i,1} = Q_i \bmod p_1$ and $Q_{i,2} = Q_i \bmod p_2$ are defined for $i = 1, \ldots, m$. The claimant first calculates the two response components:

$$D_1 = r_1 \times Q_{1,1}^{d_1} \times Q_{2,1}^{d_2} \times \ldots \times Q_{m,1}^{d_m} \bmod p_1, \text{ and}$$

$$D_2 = r_2 \times Q_{1,2}^{d_1} \times Q_{2,2}^{d_2} \times \ldots \times Q_{m,2}^{d_m} \bmod p_2.$$

The claimant then obtains the value of the response as follows, where $z = C \times (D_1 - D_2) \bmod p_1$:

$$D = z \times p_2 + D_2$$

The advantage of this Chinese remainder calculation method is that the claimant calculates modulo $p_1$ and modulo $p_2$ instead of modulo $n$, $p_1$ and $p_2$ being much smaller than $n$.
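The Chinese-remainder computation above, as an added worked example (not code from the original document). The primes, the sample $r_1, r_2$, the keys and the challenges are constructed toy values; the exponent $v$ is left as a parameter so that $v = 2$ gives the Fiat-Shamir case and $v = 2^{b+k}$ the schemes described later in the text. The recombination step is written once and reused for the witness and for the response, and both are checked against the direct computation modulo $n$.

```python
"""Chinese-remainder (Garner) computation of the witness and the response
for a two-factor modulus n = p1 * p2 with p1 < p2, checked against the
direct computation modulo n.  Added example with constructed toy primes;
the exponent v is a parameter so that v = 2 gives the Fiat-Shamir case
and v = 2^(b+k) the schemes described later in the text."""

P1, P2 = 1009, 1013           # constructed toy primes, p1 < p2
N = P1 * P2


def chinese_remainder_constant(p1, p2):
    """C: the positive number below p1 with p1 | (p2 * C - 1),
    i.e. C = p2^-1 mod p1 (pow with exponent -1 needs Python 3.8+)."""
    return pow(p2, -1, p1)


def recombine(x1, x2, p1, p2, c):
    """Rebuild x in [0, n) from x1 = x mod p1 and x2 = x mod p2:
    z = C * (x1 - x2) mod p1, then x = z * p2 + x2."""
    z = c * (x1 - x2) % p1    # the reduction mod p1 keeps x below n
    return z * p2 + x2


def witness_crt(r1, r2, v, p1, p2, c):
    """R from the components R1 = r1^v mod p1 and R2 = r2^v mod p2."""
    return recombine(pow(r1, v, p1), pow(r2, v, p2), p1, p2, c)


def response_crt(r1, r2, qs, ds, p1, p2, c):
    """D = r * prod_i Q_i^d_i, computed from the key components
    Q_i mod p1 and Q_i mod p2 instead of modulo n."""
    d1, d2 = r1 % p1, r2 % p2
    for q, d in zip(qs, ds):
        d1 = d1 * pow(q % p1, d, p1) % p1
        d2 = d2 * pow(q % p2, d, p2) % p2
    return recombine(d1, d2, p1, p2, c)


def witness_direct(r, v, n):
    """Reference computation modulo n."""
    return pow(r, v, n)


def response_direct(r, qs, ds, n):
    """Reference computation modulo n."""
    d = r % n
    for q, e in zip(qs, ds):
        d = d * pow(q, e, n) % n
    return d


if __name__ == "__main__":
    c = chinese_remainder_constant(P1, P2)
    r1, r2 = 123, 456                       # constructed: 0 < r1 < p1, 0 < r2 < p2
    r = recombine(r1, r2, P1, P2, c)        # the r the claimant implicitly used
    qs, ds = [8675, 3099, 7241], [1, 0, 1]  # constructed keys and challenges
    assert witness_crt(r1, r2, 2, P1, P2, c) == witness_direct(r, 2, N)
    assert response_crt(r1, r2, qs, ds, P1, P2, c) == response_direct(r, qs, ds, N)
    print("CRT and direct computations agree")
```

Note that the claimant never needs the recombined $r$ itself: $r_1$ and $r_2$ define it implicitly, and only $R$ and $D$ are ever sent.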



The Fiat-Shamir entity authentication procedure may be transposed easily to verification by a controller that a message $M$ that it has received was sent by a certain keyholder, here also called the claimant. This message authentication procedure comprises the following interactive steps:

1. Witness step: the claimant chooses at random an integer $r$ and calculates first the witness $R = r^2 \bmod n$ and then the token $T = h(M, R)$, where $h$ is a hashing function (for example one of the functions defined in the ISO/IEC Standard 10118-3), and finally sends the token $T$ to the controller;

2. Challenge step: the controller chooses at random a challenge $d$ which can take the value 0 or 1 and sends the challenge to the claimant;

3. Response step: the claimant calculates the response $D = r \times Q^d \bmod n$ and sends the response to the controller; and

4. Verification step: the controller calculates $h(M, D^2 / G^d \bmod n)$ and verifies that the result is equal to the token $T$.

Finally, the Fiat-Shamir entity authentication procedure can be transposed to define a procedure for signing a message $M$ that is sent to a controller by a keyholder called the signatory; note that a signing procedure is not interactive in itself. The signatory holds a plurality of private keys $Q_1, Q_2, \ldots, Q_m$, where $m$ is large compared to 1, and publishes, in addition to an RSA modulus $n$, respective public keys $G_1, G_2, \ldots, G_m$, where $G_i = Q_i^2 \bmod n$ for $i = 1, \ldots, m$. This signing procedure comprises the following steps (given the same names as above by analogy):

1. Witness step: the signatory chooses at random $m$ integers $r_i$, where $i = 1, \ldots, m$, and calculates first the witnesses $R_i = r_i^2 \bmod n$ and then the token $T = h(M, R_1, R_2, \ldots, R_m)$, where $h$ is a hashing function producing a word of $m$ bits, and finally sends the token $T$ to the controller;

2. Challenge step: the signatory identifies the bits $d_1, d_2, \ldots, d_m$ of the token $T$;

3. Response step: the signatory calculates the responses $D_i = r_i \times Q_i^{d_i} \bmod n$ and sends the responses to the controller; and

4. Verification step: the controller calculates

$$h\left(M,\; \frac{D_1^2}{G_1^{d_1}} \bmod n,\; \frac{D_2^2}{G_2^{d_2}} \bmod n,\; \ldots,\; \frac{D_m^2}{G_m^{d_m}} \bmod n\right)$$

and verifies that the result is equal to the token $T$.
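The signing procedure above, as an added worked example (not code from the original document or from the Fiat-Shamir paper). The modulus and keys are constructed toy values. The text only requires an $m$-bit hash $h$; taking the top $m$ bits of SHA-256 over $M$ and the fixed-width witnesses is an assumption made here, and $m = 32$ is chosen so that a forged token passes with probability $2^{-32}$.

```python
"""Fiat-Shamir message signing with m key pairs: m witnesses, token
T = h(M, R_1, ..., R_m), challenge bits read from T, responses
D_i = r_i * Q_i^d_i mod n.  Added example with constructed toy parameters;
the text only requires an m-bit hash, so taking the top m bits of SHA-256
is an assumption made here."""
import hashlib
import math
import secrets

P1, P2 = 1009, 1013       # constructed toy primes; real moduli need >= 1024 bits
N = P1 * P2
M_KEYS = 32               # m, "large compared to 1": a forgery passes with odds 2^-m


def _random_unit(n):
    """Random integer in [2, n-1] coprime to n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x


def keygen(n, m):
    """Private keys Q_i and public keys G_i = Q_i^2 mod n."""
    qs = [_random_unit(n) for _ in range(m)]
    return qs, [pow(q, 2, n) for q in qs]


def token(message, witnesses, m, n):
    """h(M, R_1, ..., R_m): SHA-256 over M and the fixed-width witnesses,
    truncated to an m-bit word (assumed instantiation of h)."""
    width = (n.bit_length() + 7) // 8
    h = hashlib.sha256(message)
    for R in witnesses:
        h.update(R.to_bytes(width, "big"))
    return int.from_bytes(h.digest(), "big") >> (256 - m)


def challenge_bits(t, m):
    """Challenge step: d_i is bit i of the token."""
    return [(t >> i) & 1 for i in range(m)]


def sign(message, n, qs):
    """Witness, challenge and response steps, run by the signatory alone."""
    m = len(qs)
    rs = [_random_unit(n) for _ in range(m)]
    Rs = [pow(r, 2, n) for r in rs]
    t = token(message, Rs, m, n)
    ds = challenge_bits(t, m)
    Ds = [r * pow(q, d, n) % n for r, q, d in zip(rs, qs, ds)]
    return t, Ds


def verify(message, signature, n, gs):
    """Verification step: recompute R_i = D_i^2 / G_i^d_i mod n and rehash."""
    t, Ds = signature
    m = len(gs)
    ds = challenge_bits(t, m)
    Rs = [pow(D, 2, n) * pow(g, -d, n) % n for D, g, d in zip(Ds, gs, ds)]
    return token(message, Rs, m, n) == t


if __name__ == "__main__":
    qs, gs = keygen(N, M_KEYS)
    sig = sign(b"constructed message", N, qs)          # constructed sample message
    print("genuine :", verify(b"constructed message", sig, N, gs))
    print("tampered:", verify(b"constructed message.", sig, N, gs))
```

The signature is the pair $(T, D_1, \ldots, D_m)$; the witnesses themselves are never transmitted, since the controller recomputes them from the responses and the challenge bits carried by $T$.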

Consider now in more detail the security of the Fiat-Shamir method. For example, in the case of the entity authentication procedure explained above, the question arises: is it possible for an impostor (i.e. an entity knowing the RSA modulus $n$ and the public key $G$, but not knowing the private key $Q$ of the entity that it is pretending to be) to fool the controller?

Note first that the challenge, although random, can take only two values: if an impostor guesses the value of the challenge thrown down by the controller during the authentication procedure correctly (and thus with a 50% chance of success), could it satisfy all the steps of the Fiat-Shamir method without being caught by the controller? The answer to this question is yes. In fact:

• if the impostor guesses that the challenge will be $d = 0$, it supplies to the controller a witness $R = r^2 \bmod n$ and a response $D = r$; and

• if the impostor guesses that the challenge will be $d = 1$, it chooses any integer $l > 0$ and supplies to the controller a witness $R = l^2 \times G \bmod n$ and a response $D = l \times G \bmod n$ (the controller then finds $D^2 / G = l^2 \times G = R \bmod n$, exactly as for an honest claimant).

The Fiat-Shamir procedure therefore has a weakness, although its effect can be attenuated, as indicated above, if the procedure is repeated sequentially to render a correct series of anticipations of the challenge by an impostor as improbable as possible. It follows that, to make this authentication procedure sufficiently secure, its duration must be considerably increased.
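The single-key Fiat-Shamir exchange described earlier and the impostor strategy just described, as one added worked example (not code from the original document or from the Fiat-Shamir paper). The toy modulus and all keys are constructed values. The impostor knows only $(n, G)$, bets on the challenge bit, and fabricates the matching witness/response pair; the example shows that the bet passes exactly when it is right, and that sequential repetition drives the impostor's success probability to $2^{-s}$.

```python
"""Fiat-Shamir entity authentication with a single key, plus the impostor
strategy described in the text (guess the one-bit challenge, then fabricate
a witness/response pair that passes for that guess).  Added example: the
toy modulus and every key here are constructed, not taken from the document."""
import math
import secrets

P1, P2 = 1009, 1013       # constructed toy primes; a real modulus needs >= 1024 bits
N = P1 * P2


def _random_unit(n):
    """Random integer in [2, n-1] coprime to n."""
    while True:
        x = secrets.randbelow(n - 2) + 2
        if math.gcd(x, n) == 1:
            return x


def keygen(n):
    """Claimant keeps Q secret and publishes G = Q^2 mod n."""
    while True:
        q = _random_unit(n)
        g = pow(q, 2, n)
        if g != 1:            # G = 1 would let anyone answer both challenges
            return q, g


def witness(n):
    """Step 1: choose r, keep it, send R = r^2 mod n."""
    r = _random_unit(n)
    return r, pow(r, 2, n)


def response(n, q, r, d):
    """Step 3: D = r * Q^d mod n for the challenge d in {0, 1}."""
    return r * pow(q, d, n) % n


def verify(n, g, R, d, D):
    """Step 4: the controller checks D^2 / G^d mod n == R."""
    return pow(D, 2, n) * pow(g, -d, n) % n == R


def honest_session(n, q, g, rounds):
    """Sequential repetition with fresh r and d in every round."""
    for _ in range(rounds):
        r, R = witness(n)
        d = secrets.randbelow(2)
        if not verify(n, g, R, d, response(n, q, r, d)):
            return False
    return True


def impostor_pair(n, g, guess):
    """Impostor knows only (n, G).  Guess 0: R = l^2, D = l.
    Guess 1: R = l^2 * G, D = l * G, so that D^2 / G == R."""
    l = _random_unit(n)
    if guess == 0:
        return pow(l, 2, n), l
    return pow(l, 2, n) * g % n, l * g % n


def impostor_round(n, g, guess, d):
    """One round as the controller sees it; passes exactly when guess == d."""
    R, D = impostor_pair(n, g, guess)
    return verify(n, g, R, d, D)


def impostor_session(n, g, rounds):
    """Impostor guessing at random: passes all rounds with probability 2^-rounds."""
    return all(impostor_round(n, g, secrets.randbelow(2), secrets.randbelow(2))
               for _ in range(rounds))


if __name__ == "__main__":
    Q, G = keygen(N)
    print("honest claimant, 20 rounds:", honest_session(N, Q, G, 20))
    print("impostor, 1 round  :", impostor_session(N, G, 1))
    print("impostor, 20 rounds:", impostor_session(N, G, 20))
```

A wrong bet fails deterministically: with guess 0 and challenge 1 the controller computes $l^2 / G$, with guess 1 and challenge 0 it computes $l^2 G^2$, and neither equals the supplied witness unless $G = 1$, which key generation excludes.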

International application WO-00/45550 discloses a cryptography method that is applicable to an entity authentication procedure, a message authentication procedure and a message signing procedure and does not suffer from this drawback. In that method, the claimant publishes not only an RSA modulus $n$ and a public key $G$ but also an integer (called the exponent) $v = 2^k$, where $k$ (called the security parameter) is an integer greater than 1. Moreover, if $Q$ is the private key of the claimant:

$$G = Q^v \bmod n \qquad (1)$$

The authentication procedure of application WO-00/45550 comprises the following steps:

1. Witness step: the claimant chooses at random an integer $r$, calculates the witness $R = r^v \bmod n$ and sends the witness to the controller;

2. Challenge step: the controller chooses at random an integer $d$ called the challenge, where $0 \le d \le 2^{k-1} - 1$, and sends the challenge to the claimant;

3. Response step: the claimant calculates the response $D = r \times Q^d \bmod n$ and sends the response to the controller; and

4. Verification step: the controller calculates $D^v / G^d \bmod n$ and verifies that the result is equal to the witness $R$.

Thus in this procedure the challenge can take $2^{k-1}$ different values (as opposed to only two values in the Fiat-Shamir method), which, for a single execution of the above succession of steps, makes correct anticipation of the challenge by an impostor increasingly improbable as the value of $k$ increases.

This being the case, to enhance security, this procedure can of course be repeated sequentially $s$ times and/or $m$ pairs of keys can be used in parallel as explained above; it is then advantageous to use the Chinese remainder theorem for the calculations. In practice, because an attacker has more time to work on a signature than on an authentication session, it is recommended that the product $(k - 1) \times m \times s$ have a value at least equal to 40 in the case of authentication and at least equal to 80 in the case of signing.

Moreover, according to application WO-00/45550, the public key is required to satisfy the following relationship, in which $g$ is a small integer (called the base number) greater than 1:

$$G = g^2 \bmod n \qquad (2)$$

Combining the above equations (1) and (2) shows that it is necessary to find a pair $(g, Q)$ satisfying the following equation for given $n$ and $v$:

$$Q^v = g^2 \bmod n \qquad (3)$$

It can be shown that equation (3) can be solved in a reasonable time only by someone who knows the factors of the modulus, i.e. the keyholder. In other words, calculating a pair of keys conforming to application WO-00/45550 from the corresponding public parameters is just as complicated as factorizing the number $n$; the two tasks are said to be equivalent in terms of complexity, and a set of keys implying this kind of equivalence satisfies the equivalence criterion.

A first advantage of this state of affairs is that there is a reference level of security (i.e. the factorization problem). A second advantage is that a holder of keys according to application WO-00/45550 does not need to have such a public key certified by a certification authority, i.e. to obtain from that authority a certificate linking that public key to the identity of its holder; it is only necessary to certify the RSA modulus $n$, the other parameters being published directly by the holder. In contrast, in the Fiat-Shamir method, for example, it is possible for different entities to construct their own pairs of keys from the same RSA modulus (Fiat-Shamir pairs therefore do not satisfy the equivalence criterion defined above), and consequently each particular public key must be linked by a certification authority to the identity of its holder.

It can nevertheless be shown that there exist solutions of equation (3) only for certain particular moduli $n$ (representing about one quarter of all RSA moduli). This is problematic for an entity seeking to produce pairs of keys according to application WO-00/45550: if that entity already has a collection of RSA moduli, it can generally use only some of them to construct the keys, whereas if it does not already have any RSA moduli, it will find it more difficult to find adequate moduli than if all (or almost all) RSA moduli were compatible with the method.

Thus a first aspect of the present invention relates to an asymmetrical key cryptography method involving a keyholder having a number $m \ge 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and respective public keys $G_1, G_2, \ldots, G_m$, each pair of keys $(Q_i, G_i)$ (where $i = 1, \ldots, m$) satisfying either the relationship $G_i = Q_i^v \bmod n$ or the relationship $G_i \times Q_i^v = 1 \bmod n$, where $n$ is a public integer equal to the product of $f$ (where $f > 1$) private prime factors $p_1, \ldots, p_f$, at least two of which are distinct, and the exponent $v$ is a public integer equal to a power of 2. The method is noteworthy in that

$$v = 2^{b+k},$$

where $k$ is a strictly positive integer and $b = \max(b_1, \ldots, b_f)$, where $b_j$ (for $j = 1, \ldots, f$) is the highest integer such that $(p_j - 1)/2^{b_j - 1}$ is even (that is, $2^{b_j}$ divides $p_j - 1$ but $2^{b_j + 1}$ does not),

and each public key $G_i$ (where $i = 1, \ldots, m$) is of the form

$$G_i = g_i^{2^{a_i}} \bmod n,$$

where the base numbers $g_i$ are integers strictly greater than 1 and the numbers $a_i$ are integers such that $1 \le a_i \le b$ and at least one of them is strictly greater than 1.

Note that the present invention differs from application WO-00/45550 in particular in that each public key is of the form $G_i = g_i^{2^{a_i}} \bmod n$, where at least one of the numbers $a_i$ is strictly greater than 1, rather than of the form $G_i = g_i^2 \bmod n$.

As shown in the detailed description given below, by means of these provisions, regardless of the value chosen for the modulus $n$, and apart from very rare exceptions (these particular moduli being in practice never chosen for executing the RSA method), keys according to the invention, i.e. key pairs $(g, Q)$ satisfying the conditions briefly stated above, necessarily exist. In other words, the method according to the present invention is compatible with any RSA modulus.

According to a particular feature of the invention, at least one of said prime factors $p_1, \ldots, p_f$ is congruent to 1 modulo 4 and the integers $a_i$ (where $i = 1, \ldots, m$) are all equal to said number $b$.

This considerably facilitates the construction of sets of keys according to the invention.

According to another particular feature of the invention, said base numbers $g_1, \ldots, g_m$ include at least one number $g_s$ and said prime factors $p_1, \ldots, p_f$ include at least two numbers $p_t$ and $p_u$ other than 2 such that, given said numbers $b_1, \ldots, b_f$:

• if $b_t = b_u$, then $(g_s \mid p_t) = -(g_s \mid p_u)$, and

• if $b_t < b_u$, then $(g_s \mid p_u) = -1$,

where $(g_s \mid p_t)$ and $(g_s \mid p_u)$ denote the Legendre symbols of $g_s$ relative to $p_t$ and $p_u$.

It can be shown that, by means of this feature, the keys obtained satisfy the equivalence criterion defined above.
According to a further particular feature of the invention, said method involves a controller and said keyholder, here called the claimant. The method is noteworthy in that it comprises the following steps:

• the claimant chooses at random an integer $r$, calculates the witness $R = r^v \bmod n$ and sends the witness to the controller,

• the controller chooses at random $m$ challenges $d_1, d_2, \ldots, d_m$ (where $i = 1, \ldots, m$) and sends the challenges to the claimant,

• the claimant calculates the response

$$D = r \times Q_1^{d_1} \times Q_2^{d_2} \times \ldots \times Q_m^{d_m} \bmod n,$$

and sends the response to the controller, and

• the controller calculates

$$D^v \times G_1^{\varepsilon_1 d_1} \times G_2^{\varepsilon_2 d_2} \times \ldots \times G_m^{\varepsilon_m d_m} \bmod n$$

where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$,

and verifies that the result is equal to the witness $R$.

It is important to note that it is not necessary for 
a controller and a claimant that use this method to 
exchange all of the witness or all of the response: they 
can, by mutual agreement, exchange only some of the data 
or the result of applying a predetermined hashing 
function to some or all of the data. 

The execution of the method can, of course, advantageously be accelerated by using the Chinese remainder theorem.

For example, to calculate the witness $R$, the claimant can proceed as follows. For a modulus $n = p_1 \times p_2$, where $p_1 < p_2$, let $C$ be the positive number (known as the Chinese remainder) less than $p_1$ such that $p_1$ is a factor of $(p_2 \times C - 1)$. The claimant chooses at random two integers $r_1$ and $r_2$ such that $0 < r_1 < p_1$ and $0 < r_2 < p_2$ and calculates the two witness components $R_1 = r_1^v \bmod p_1$ and $R_2 = r_2^v \bmod p_2$. The value of the witness is deduced therefrom as follows, where $z = C \times (R_1 - R_2) \bmod p_1$:

$$R = z \times p_2 + R_2$$

The claimant can also use the Chinese remainder theorem to obtain the response $D$ in a similar manner to the calculation technique described above for the Fiat-Shamir method.

Finally, note that the challenges may be limited to challenges satisfying the condition $0 \le d_i \le 2^k - 1$ for $i = 1, \ldots, m$ (which has the advantage of simplifying the calculations both for the claimant and for the controller). It is easy to verify that, for two values of $d_i$ differing by $2^k$, the corresponding values of $Q_i^{d_i}$ are deduced from each other by a factor $g_i$. As the publication of the public keys $G_i$ essentially involves the disclosure of the base numbers $g_i$, the same level of security is obtained with challenge values in the range $0 \le d_i \le 2^k - 1$ as with challenge values outside that range.

According to a further particular feature of the invention, said method enables a controller to verify that a message $M$ that it has received was sent to it by said keyholder, here called the claimant. The method is noteworthy in that it comprises the following steps:

• the claimant chooses at random an integer $r$ and first calculates the witness $R = r^v \bmod n$, then calculates the token $T = h(M, R)$, where $h$ is a hashing function, and finally sends the token $T$ to the controller,

• the controller chooses at random $m$ challenges $d_i$, where $i = 1, \ldots, m$, and sends the challenges to the claimant,

• the claimant calculates the response

$$D = r \times Q_1^{d_1} \times Q_2^{d_2} \times \ldots \times Q_m^{d_m} \bmod n,$$

and sends the response to the controller, and

• the controller calculates

$$h\left(M,\; D^v \times G_1^{\varepsilon_1 d_1} \times G_2^{\varepsilon_2 d_2} \times \ldots \times G_m^{\varepsilon_m d_m} \bmod n\right)$$

where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$,

and verifies that the result is equal to the token $T$.
The above remark on the values of the challenges in the entity authentication method obviously applies equally to this message authentication method.

Note also that this message authentication procedure is sometimes considered to be a form of message signing.

According to another particular feature of the invention, another way of signing a message, which enables said keyholder, here called the signatory, to sign a message $M$ sent to a controller, is noteworthy in that it comprises the following steps:

• the signatory chooses at random $m$ integers $r_i$, where $i = 1, \ldots, m$, and first calculates the witnesses $R_i = r_i^v \bmod n$, then calculates the token $T = h(M, R_1, R_2, \ldots, R_m)$, where $h$ is a hashing function producing a word of $m$ bits, and finally sends the token $T$ to the controller,

• the signatory identifies the bits $d_1, d_2, \ldots, d_m$ of the token $T$,

• the signatory calculates the responses $D_i = r_i \times Q_i^{d_i} \bmod n$ and sends the responses to the controller, and

• the controller calculates

$$h\left(M,\; D_1^v \times G_1^{\varepsilon_1 d_1} \bmod n,\; D_2^v \times G_2^{\varepsilon_2 d_2} \bmod n,\; \ldots,\; D_m^v \times G_m^{\varepsilon_m d_m} \bmod n\right)$$

where, for $i = 1, \ldots, m$, $\varepsilon_i = +1$ if $G_i \times Q_i^v = 1 \bmod n$ and $\varepsilon_i = -1$ if $G_i = Q_i^v \bmod n$,

and verifies that the result is equal to the token $T$.

A second aspect of the invention relates to various devices.

This aspect of the invention relates firstly to an electronic circuit including a processor and memories that is noteworthy in that it can be programmed to act as the keyholder in executing any of the cryptography methods described above.

It relates further to a dedicated electronic circuit that is noteworthy in that it contains data enabling it to act as the keyholder in executing any of the cryptography methods described above; it may in particular be an application-specific integrated circuit (ASIC).

The above two electronic circuits may take the form of an electronic microchip, for example.

The invention also relates, thirdly, to a portable object adapted to be connected to a terminal to exchange data with the terminal and noteworthy in that it contains an electronic circuit as described above and is able to store identification data and private keys specific to said keyholder.

This portable object may be a smart card or a USB key, for example.

The invention also relates, fourthly, to a terminal adapted to be connected to a portable object to exchange data with the portable object and noteworthy in that it includes a data processing device programmed to act as said controller in executing any of the cryptography methods described above.

The invention also relates, fifthly, to a cryptography system comprising a portable object and a terminal both as described above.

The invention also relates, sixthly, to non-removable data storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of any of the cryptography methods described above.

The invention also relates, seventhly, to partially or totally removable data storage means containing electronic data processing program code instructions for, as said keyholder, executing the steps of any of the cryptography methods described above.

The invention also relates, eighthly, to a data processing device comprising keyholder storage means as described above. This data processing device may be a personal computer or a server, for example.

The invention also relates, ninthly, to non-removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of any of the cryptography methods described above.

The invention also relates, tenthly, to partially or totally removable data storage means containing electronic data processing program code instructions for, as said controller, executing the steps of any of the cryptography methods described above.

The invention also relates, eleventhly, to a data processing device comprising controller storage means as described above.

This data processing device may be a personal computer or a server, for example.

The invention also relates, twelfthly, to a cryptography system comprising a keyholder data processing device and a controller data processing device as described above.

The advantages of the above devices are essentially the same as those of the corresponding methods described above.

The invention also provides a computer program containing instructions such that, when said program controls a programmable data processing device, said instructions cause said data processing device to execute one of the cryptography methods described above.

The advantages of this computer program are essentially the same as those of the cryptography methods described above.

Other aspects and advantages of the invention become apparent on reading the following detailed description.

Consider a modulus $n$ that is generally the product of $f$ (where $f > 1$) large prime factors $p_1, \ldots, p_f$, at least two of which are distinct, where $p_1 \le \ldots \le p_f$ and $p_1 < p_f$:

$$n = p_1 \times \ldots \times p_f$$

Each factor $p_j$, where $j = 1, \ldots, f$, may be associated with a strictly positive integer $b_j$ defined in the following manner: $(p_j - 1)$ is divisible by $2^{b_j}$ but not by $2^{b_j + 1}$ (in other words, $b_j$ is the highest integer such that $(p_j - 1)/2^{b_j - 1}$ is even). It is easy to verify that $b_j = 1$ if $p_j = 3 \bmod 4$ and $b_j > 1$ if $p_j = 1 \bmod 4$.

If an entity wishes to become a keyholder, it can request a certification authority to assign it an RSA modulus $n$. The entity then constructs a number $m \ge 1$ of private keys $Q_1, Q_2, \ldots, Q_m$ and publishes said modulus $n$, an exponent $v$ and respective public keys $G_1, G_2, \ldots, G_m$.

According to the invention, these quantities conform to the following conditions:

• the exponent is of the following form, where $b = \max(b_1, \ldots, b_f)$ and $k \ge 1$:

$$v = 2^{b+k},$$

• each public key $G_i$ (where $i = 1, \ldots, m$) is of the following form, where the base numbers $g_i$ are integers strictly greater than 1 and the numbers $a_i$ are integers such that $1 \le a_i \le b$ and such that at least one of them is strictly greater than 1:

$$G_i = g_i^{2^{a_i}} \bmod n,$$

• each pair of keys $(Q_i, G_i)$ (where $i = 1, \ldots, m$) satisfies

• either the relationship $G_i = Q_i^v \bmod n$ (1')

• or the relationship $G_i \times Q_i^v = 1 \bmod n$ (1'')

It can be shown that, for pairs of keys satisfying the above conditions to exist, the rank of each key $G_i$ relative to each prime factor $p_j$ must be odd. In this regard, note that the "rank $\lambda$ relative to $p$" of a non-null element $x$ of the field of integers modulo $p$ (where $p$ is prime) is the smallest strictly positive integer $\lambda$ such that $x^\lambda = 1 \bmod p$ (where the successive powers of $x$ are taken modulo $p$); in other words, the rank is the multiplicative order of $x$ modulo $p$.

The condition whereby the rank of $G_i$ relative to each of the prime factors of the modulus $n$ is odd implies that no prime factor $p_j$ can be such that $(p_j - 1)$ is equal to a power of 2; however, the prime numbers satisfying this condition (for example 3, 5, 17, and 257) are rare, and even very rare if large numbers are chosen for the prime factors of the modulus.

This property of public keys can be obtained by choosing the integers $g_i$ and $a_i$ in accordance with the following rule for all $j = 1, \ldots, f$:

$$a_i \ge h(g_i) \bmod p_j$$

where, for any non-null integer $x$ of the field of integers modulo $p$ (where $p$ is prime), the "height $h(x) \bmod p$ of $x$ relative to $p$" is defined as the exponent of the highest power of 2 that is a factor of the rank of $x$ relative to $p$. Raising $g_i$ to the power $2^{a_i}$ divides its rank by $2^{a_i}$ (or by the full power of 2 it contains), so the rank of $G_i$ is odd exactly when $a_i$ is at least this exponent.

One particular embodiment of the invention is described next by way of non-limiting example.

In this embodiment, the prime factors $p_j$ of the modulus $n$ are chosen so that at least one of them is congruent to 1 modulo 4 (the other factors can be congruent either to 1 or to 3 modulo 4). It follows from the properties of the associated numbers $b_j$ stated above that:

$$b > 1.$$

Moreover, for all $i = 1, \ldots, m$:

$$G_i = g_i^{2^b} \bmod n \qquad (4)$$

Note that, in contrast, the keys defined by application WO-00/45550 (which satisfy the relationship $Q_i^v = g_i^2 \bmod n$, as indicated above) exist only for the moduli for which all the prime factors are congruent to 3 modulo 4.

It can be shown that the public keys $G_i$ defined by equation (4) are of odd rank relative to each of the prime factors of the modulus.

Finally, there must exist at least one number $g_s$ among said base numbers $g_1, \ldots, g_m$ and two numbers $p_t$ and $p_u$ other than 2 among said prime factors $p_1, \ldots, p_f$ such that

• if $b_t = b_u$, then $(g_s \mid p_t) = -(g_s \mid p_u)$ (5a)

• if $b_t < b_u$, then $(g_s \mid p_u) = -1$, (5b)

where the numbers $b_t$ and $b_u$ (see above for definitions of these numbers) are determined relative to $p_t$ and $p_u$ and $(g_s \mid p_t)$ and $(g_s \mid p_u)$ denote the corresponding Legendre symbols of $g_s$.

In this regard, note that the "Legendre symbol relative to $p$", $(x \mid p)$, of a non-null element $x$ of the field of integers modulo $p$ (where $p$ is a prime number other than 2) is equal to $x^{(p-1)/2} \bmod p$. It is easily shown that $(x \mid p) = 0$ if $x$ is a multiple of $p$, $(x \mid p) = +1$ if $x$ is equal to the square modulo $p$ of another element of the field, and $(x \mid p) = -1$ otherwise.

Equations (5a-5b) represent an embodiment of the invention in which the keys satisfy the equivalence criterion, i.e. in which it is impossible to calculate the private keys $Q_1, Q_2, \ldots, Q_m$ from the public parameters $n$, $v$ and $G_1, G_2, \ldots, G_m$ in a reasonable time unless the prime factors of the modulus are known.

In contrast, if the factors of the modulus are known, the private keys can be obtained in the following manner. Let $\Lambda$ be the lowest common multiple of the numbers $(p_j - 1)/2^{b_j}$, where $j = 1, \ldots, f$, and let $u$ be the smallest positive integer such that $(u \times v + 1)$ is a multiple of $\Lambda$. Each private key satisfies:

$$Q_i \times G_i^u = 1 \bmod n \quad \text{if equation (1') is chosen (i.e. } G_i = Q_i^v \bmod n\text{), or}$$

$$Q_i = G_i^u \bmod n \quad \text{if equation (1'') is chosen (i.e. } G_i \times Q_i^v = 1 \bmod n\text{).}$$

The private keys $Q_1, Q_2, \ldots, Q_m$ can also be calculated using the Chinese remainder theorem.

To finish, a few remarks concerning the base numbers.

It is found that the speed of the calculations effected during the execution of the method according to the invention increases when the base numbers are taken to be smaller. It is therefore recommended that they be chosen to be as small as possible.

For example, the base numbers may be chosen from the first 54 prime numbers (the fifty-fourth prime number being 251).

Alternatively, the first $m$ prime numbers can systematically be taken as base numbers, that is to say $g_1 = 2$, $g_2 = 3$, $g_3 = 5$, $g_4 = 7$, $g_5 = 11$, and so on. This approach has the advantage of simplicity, but does not guarantee that a set of keys is obtained satisfying the equivalence criterion. However, it can be shown that the proportion of sets not satisfying the equivalence criterion is less than $1/2^m$; for example, for $m = 16$ (corresponding to $g_{16} = 53$), this proportion is less than 1/65 536.
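The following added example (not code from the original document) ties together three passages above: the key construction of the detailed description ($b_j$ from the factors, $v = 2^{b+k}$, $G_i = g_i^{2^b} \bmod n$, and the recovery of $Q_i$ from $\Lambda$ and $u$), the $m$-key entity authentication with the signs $\varepsilon_i$, and the closing remark that taking the first $m$ primes as base numbers does not by itself guarantee the equivalence criterion (conditions (5a)/(5b)). The primes 1009 (congruent to 1 modulo 4, $b_1 = 4$) and 1019 (congruent to 3 modulo 4, $b_2 = 1$) and the parameter $k = 2$ are constructed toy values; a real modulus needs at least 1024 bits.

```python
"""Key generation and m-key entity authentication for the scheme in the
text: b_j from the prime factors, v = 2^(b+k), public keys
G_i = g_i^(2^b) mod n, private keys recovered from the factors through
Lambda and u, and the controller check D^v * prod G_i^(eps_i d_i) == R.
Also checks the odd-rank property and the Legendre condition (5a)/(5b).
Added example with constructed toy primes (1009 = 1 mod 4, 1019 = 3 mod 4),
not parameters from the original document."""
import math
import secrets

P1, P2 = 1009, 1019       # constructed: b_1 = 4 (1008 = 16 * 63), b_2 = 1 (1018 = 2 * 509)
K = 2                     # security parameter k >= 1


def b_of(p):
    """b_j: 2^b_j divides p - 1 but 2^(b_j + 1) does not."""
    return ((p - 1) & -(p - 1)).bit_length() - 1


def has_odd_rank(x, p):
    """x has odd rank (multiplicative order) mod p iff x^((p-1)/2^b_j) = 1."""
    return pow(x, (p - 1) >> b_of(p), p) == 1


def legendre(x, p):
    """Legendre symbol (x | p) by Euler's criterion, returned as 0, +1 or -1."""
    s = pow(x, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def equivalence_condition(bases, primes):
    """Conditions (5a)/(5b): some g_s and distinct odd p_t, p_u such that
    (g_s|p_t) = -(g_s|p_u) when b_t = b_u, or (g_s|p_u) = -1 when b_t < b_u."""
    for g in bases:
        for pt in primes:
            for pu in primes:
                if pt == pu or pt == 2 or pu == 2:
                    continue
                bt, bu = b_of(pt), b_of(pu)
                if bt == bu and legendre(g, pt) != 0 and legendre(g, pt) == -legendre(g, pu):
                    return True
                if bt < bu and legendre(g, pu) == -1:
                    return True
    return False


def keygen(primes, bases, k, inverse_form):
    """Returns (n, v, G list, Q list, eps list).  inverse_form[i] selects
    G_i * Q_i^v = 1 (eps_i = +1) when True, G_i = Q_i^v (eps_i = -1) when False."""
    n = math.prod(primes)
    b = max(b_of(p) for p in primes)
    v = 1 << (b + k)
    gs = [pow(g, 1 << b, n) for g in bases]            # a_i = b for every key (eq. 4)
    lam = 1
    for p in primes:                                    # Lambda = lcm of the odd parts
        odd = (p - 1) >> b_of(p)
        lam = lam * odd // math.gcd(lam, odd)
    u = (-pow(v, -1, lam)) % lam                        # smallest u > 0 with Lambda | u*v + 1
    qs = [pow(g, u if inv else -u, n) for g, inv in zip(gs, inverse_form)]
    eps = [1 if inv else -1 for inv in inverse_form]
    return n, v, gs, qs, eps


def witness(n, v):
    """Claimant: random r coprime to n, witness R = r^v mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r, pow(r, v, n)


def challenges(m, k):
    """Controller: m challenges in the simplified range 0 <= d_i <= 2^k - 1."""
    return [secrets.randbelow(1 << k) for _ in range(m)]


def response(n, r, qs, ds):
    """Claimant: D = r * prod Q_i^d_i mod n."""
    D = r
    for q, d in zip(qs, ds):
        D = D * pow(q, d, n) % n
    return D


def verify(n, v, gs, eps, ds, R, D):
    """Controller: D^v * prod G_i^(eps_i * d_i) mod n must equal R."""
    acc = pow(D, v, n)
    for g, e, d in zip(gs, eps, ds):
        acc = acc * pow(g, e * d, n) % n
    return acc == R


if __name__ == "__main__":
    n, v, gs, qs, eps = keygen([P1, P2], [2, 3, 5], K, [False, True, False])
    r, R = witness(n, v)
    ds = challenges(len(qs), K)
    print("v =", v, "authenticated:", verify(n, v, gs, eps, ds, R, response(n, r, qs, ds)))
    print("first three primes meet (5a)/(5b):", equivalence_condition([2, 3, 5], [P1, P2]))
    print("first five primes meet (5a)/(5b): ", equivalence_condition([2, 3, 5, 7, 11], [P1, P2]))
```

Why the recovery of $Q_i$ works: $G_i$ has odd rank modulo each $p_j$, so $G_i^\Lambda = 1 \bmod n$; with $u v = -1 \bmod \Lambda$ one gets $(G_i^{-u})^v = G_i^{-uv} = G_i$, which is the form (1'), and $(G_i^{u})^v = G_i^{-1}$, which is the form (1''). With these toy primes the first three base numbers 2, 3, 5 are all quadratic residues modulo 1009 (the factor with the larger $b_j$), so the set fails (5b), while extending to the first five primes brings in 11, a non-residue modulo 1009, and the condition holds.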



